Let’s play the game.


Yet another way to perform penetration test. 
Russian “red team exercise” experience from QIWI. 


Kirill ‘isox’ Ermakov 


www.zeronights.org 
About me

• Known as ‘iSox’
• Web penetration tester
• QIWI CTO/CISO
• Member of “hall-of-fames” (Yandex, Mail.ru, Apple, and so on)
• JBFC participant
Captain obvious

• Penetration testing:
  • Just a way to check your security controls
  • “Fast and dirty assessment”
  • Performed by qualified specialists
  • Part of PCI DSS certification, for example
  • Independent security review
  • Need2do for security-aware companies
Traditional approach

• Single team (2-5 members)
• External, internal and social-engineering
• Restricted vectors and scenario
• Attackers whitelist
• No private information about a target
• Social attacks are often prohibited
• Attacks limited to daytime
Pentester point of view

• Target-independent work scenario
  • 1/3 time for well known vectors
  • 1/3 time for new research
  • 1/3 time for automated scanners
• No physical security bypass
• Limited social attacks
• Same story every time
They call it “Red-team”:

• Security team is not notified
• Trying to simulate a “real” attack
• Still a lot of restrictions and limits
• One team
• No information about the internals
Anyway, coverage is not enough

• Blind zones
• Time limits
• Does not use all available vectors
• Too accurate and ethical
• Does not really look like a real hacker attack
• Pentest team has insufficient resources
Hack me plz!

• Let’s make a big (dream?) team
• Let them work on their own!
• No more “secret pentest technique”
• Forget “don’t attack that” and “don’t bruteforce us after 6PM”
• Scope = everything
  • Not kidding. Really everything.
• No preparations from the security team
No restrictions

• Social attacks
• Malware
• Account bruteforce
• 0days
• Night/weekend attacks
• Physical penetration
• DoS
• Drop-devices
• Personal devices hijack
• Employee bribe
Sharing private information

• Network map
• Critical assets
• Security specialist as insider
• Hints and advice
Deep penetration

• Physical security bypass
• Drop-devices:
  • Wi-Fi and LAN back connects
  • Cable manipulations
  • USB flash with malware
• Live social engineering
• Stealing laptops/pads/phones
Security reactions

• Security team awareness check
• Real incident investigation
• Bans and account lockouts
• Live system tuning
• Cooperation with physical security
• Logs, cameras, events and a lot of fun!
Challenge and goals

• For penetration team:
  • Application or SYS account for DB
  • AD enterprise administrator account
  • *nix root / admin account
  • Access to any critical system
• For security team:
  • Defend your home

And there is only one rule: no rules
QIWI Red Team Exercise

• Attackers: #ONSEC & #DSEC
• Defenders: #QIWI security team
• Insider: CISO (me)
• Timeline: 2.5 months
• Attack goal:
  • SYSDBA, root, Enterprise Administrator
• Security team goal:
  • Notice at least 90% of attacks and intrusions
  • Defend
Weeks of pain

• 7 social attacks in 2 weeks
• A few “emergencies”
• System crashes
• Ordinary users butthurt:
  • Locked accounts
  • Spam/phishing emails
  • Viruses
• Malware investigations
Really cool vectors

• Successful office building intrusion
• Laptops connected to both Wi-Fi and LAN used as gateways
• Mac OS X domain issues
• Smart House hacking
• Power supply takeover
• Compiling dsniff for a DVR

... even more in @d0znpp presentations
And we lost this game

• System accounts were compromised
• Social engineering as the best attack vector
• SSH access to a security team member’s MacBook
• Downloaded dumps of network devices with password hashes
• Tons of successful brutes
Successful vector

• Gained credentials using social engineering
• Loss of isolation in the guest Wi-Fi network
• Laptops connected to both cable networks and Wi-Fi
• Bad macOS Active Directory configuration, allowing any AD account to connect using SSH
• Keeping sensitive data in plaintext in ~/
• Insufficient monitoring of the office traffic
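The SSH finding above (any AD account allowed to log in, then brute-forced domain passwords) can be caught with a configuration audit. The following is an added example, not code from the talk or from QIWI: it parses an sshd_config and flags the two weak conditions. It assumes the host enforces access through the standard OpenSSH AllowUsers/AllowGroups directives (on macOS the Remote Login "only these users" SACL is the equivalent control and is not inspected here); the group name ssh-admins and both configs are constructed.

```python
"""Audit sshd_config for the two conditions behind the SSH finding:
1. no AllowUsers/AllowGroups, so every directory (AD) account may log in;
2. PasswordAuthentication left on, so domain passwords can be brute-forced."""
from dataclasses import dataclass, field


@dataclass
class SshAudit:
    allow_restricted: bool           # AllowUsers/AllowGroups present globally
    password_auth: bool              # effective PasswordAuthentication value
    findings: list = field(default_factory=list)


def parse_sshd_config(text):
    """Return {directive_lower: [values...]} for the global section only.
    Directives inside a Match block apply conditionally and are skipped."""
    opts = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                     # everything after Match is conditional
            in_match = True
            continue
        if not in_match:
            opts.setdefault(key, []).append(value)
    return opts


def audit_sshd_config(text):
    opts = parse_sshd_config(text)
    restricted = bool(opts.get("allowusers") or opts.get("allowgroups"))
    # sshd uses the FIRST occurrence of a directive; default is "yes"
    pw = opts.get("passwordauthentication", ["yes"])[0].lower() == "yes"
    audit = SshAudit(restricted, pw)
    if not restricted:
        audit.findings.append("no AllowUsers/AllowGroups: any AD account can log in over SSH")
    if pw:
        audit.findings.append("PasswordAuthentication yes: domain passwords exposed to bruteforce")
    return audit


# Constructed samples: the weak shape seen in the exercise and a hardened one.
WEAK_CONFIG = "UsePAM yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("AllowGroups ssh-admins\nPasswordAuthentication no\n"
                   "PubkeyAuthentication yes\nUsePAM yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg).findings)
```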
Results

• Better than one-team classics
• Simulates near-real hacker attacks
• Excellent scope coverage
• Testing security as it is, not as it wants to be
• You will be disappointed in your security toys
• A ‘little’ bit expensive
• Systems will crash sometimes
See ya!

• Thanks to @videns for a good trip to Troopers
• Thanks to #DSEC and #ONSEC for a great job
• Apologies to my security team for these two and a half months of hell
• Any questions?
• Contact: isox@qiwi.com